IN THE CLAIMS: 



1. (Currently Amended) A method of performing encrypted WLAN (Wireless Local
Area Network) communication, the method comprising the steps of:

operating driver software to perform a connection set-up for said encrypted 
WLAN communication; and 

operating a WLAN chip to perform data frame encapsulation and decapsulation 
during said encrypted WLAN communication; 

wherein said connection set-up is performed by executing software-implemented 
instructions of said driver software without exchanging intermediate data with 
said WLAN chip, wherein performing said connection set-up comprises 
exchanging cryptographic keys between a WLAN station and another WLAN 
station and/or a WLAN access point; 

wherein said data frame encapsulation and decapsulation is performed on a 
single-purpose hardware of said WLAN chip without executing software- 
implemented instructions of said driver software, wherein performing said 
encrypted WLAN communication further comprises obtaining a plurality of data 
frames intended for said data frame encapsulation from driver software, wherein 
performing said data frame encapsulation comprises calculating an integrity
value appropriate for verifying integrity of one of the plurality of data frames 
once said data frame decapsulation is completed; and 

wherein performing said encrypted WLAN communication further comprises 
selecting one of the plurality of data frames for said data frame encapsulation by 
performing a prioritization algorithm implemented on the single-purpose 
hardware. 

2. (Original) The method of claim 1, wherein the step of performing said connection
set-up comprises authenticating a WLAN station by another WLAN station and/or 
a WLAN authentication server. 

3. (Original) The method of claim 1, wherein the step of performing said connection
set-up comprises associating a WLAN station with another WLAN station and/or 
a WLAN access point as WLAN communication counter-parts. 

4. (Cancelled). 

5. (Cancelled). 

6. (Previously Presented) The method of claim 1, wherein the step of obtaining the
plurality of data frames comprises obtaining a plurality of data frames comprising 
cipher information indicating a determining factor for performing the data frame 
encapsulation and/or decapsulation. 

7. (Original) The method of claim 6, wherein said determining factor comprises a 
way in which a data frame intended for the data frame encapsulation is 
fragmented. 

8. (Original) The method of claim 6, wherein said determining factor comprises a 
cipher protocol suitable for performing the data frame encapsulation. 

9. (Original) The method of claim 6, wherein said determining factor comprises a
cryptographic key suitable for encrypting a data frame. 

10. (Cancelled). 

11. (Previously Presented) The method of claim 1, wherein the step of performing
said data frame encapsulation comprises inserting a package number and/or 
sequence number into one of the plurality of data frames. 

12. (Previously Presented) The method of claim 1, wherein the step of performing
said data frame encapsulation comprises encrypting at least part of one of the 
plurality of data frames. 

13. (Cancelled). 

14. (Previously Presented) The method of claim 1, wherein the step of performing 
said data frame encapsulation comprises encrypting said integrity value. 

15. (Previously Presented) The method of claim 1, wherein the step of performing 
said data frame encapsulation comprises inserting the encrypted integrity value 
into one of the plurality of data frames. 

16. (Original) The method of claim 1, wherein performing said encrypted WLAN 
communication further comprises receiving a data frame intended for said data 
frame decapsulation from a WLAN station and/or WLAN access point. 

17. (Previously Presented) The method of claim 1, wherein the step of performing 
said data frame decapsulation comprises obtaining cipher information indicating a 
determining factor for performing the data frame encapsulation and decapsulation 
from a storage unit within the single-purpose hardware. 

18. (Original) The method of claim 17, wherein said determining factor comprises a 
cipher protocol suitable for performing the data frame decapsulation. 

19. (Original) The method of claim 17, wherein said determining factor comprises a 
cryptographic key suitable for decrypting a data frame. 

20. (Original) The method of claim 16, wherein the step of performing said data 
frame decapsulation comprises decrypting at least part of the data frame. 

21. (Original) The method of claim 20, wherein the data frame comprises an 
encrypted integrity value appropriate for verifying integrity of the data frame once 
said data frame decapsulation is completed, and the step of decrypting at least part 
of the data frame comprises decrypting the encrypted integrity value. 

22. (Original) The method of claim 21, wherein the step of performing said data
frame decapsulation further comprises calculating the integrity value from at least 
part of the data frame except the encrypted integrity value. 

23. (Original) The method of claim 22, wherein the step of performing said data 
frame decapsulation further comprises calculating an integrity verification value 
indicating a difference between the decrypted integrity value and the calculated 
integrity value. 

24. (Original) The method of claim 23, wherein the step of performing said data 
frame decapsulation further comprises inserting said integrity verification value 
into the data frame. 

25. (Original) The method of claim 24, wherein performing said encrypted WLAN 
communication further comprises performing counter-measures according to said 
integrity verification value by executing software-implemented instructions, 
wherein said counter-measures are suitable for limiting the amount of information 
available to an illegitimate WLAN protruder. 

26. (Previously Presented) The method of claim 1, wherein the step of performing 
said data frame encapsulation and decapsulation comprises generating 
cryptographic data suitable for encrypting or decrypting a data frame. 

27. (Original) The method of claim 26, wherein the step of generating cryptographic 
data comprises generating authentication data suitable for encrypting a data frame 
in a manner specific to a WLAN station or decrypting a data frame encrypted in a 
manner specific to a WLAN station. 

28. (Original) The method of claim 1, wherein said encrypted WLAN communication 
is performed based on the IEEE 802.11i security standard.

29. (Original) The method of claim 1, wherein said encrypted WLAN communication 
is performed in a WLAN based on the IEEE 802.11b standard.

30. (Original) The method of claim 1, wherein said software-implemented 
instructions are executed on general-purpose hardware by driver software. 

31. (Original) The method of claim 1, wherein said single-purpose hardware is 
operated periodically. 

32. (Original) The method of claim 31, wherein said single-purpose hardware is 
operated periodically at 11 MHz.

33. (Previously Presented) The method of claim 31, wherein said data frame 
encapsulation and decapsulation is performed according to the TKIP (Temporal 
Key Integrity Protocol) protocol. 

34. (Previously Presented) The method of claim 33, wherein the step of performing 
said data frame encapsulation and decapsulation comprises performing RC4 
(Rivest's Cipher 4) encryption and/or decryption. 

35. (Original) The method of claim 34, wherein said RC4 encryption and/or 
decryption is performed by operating at least part of the single-purpose hardware. 

36. (Original) The method of claim 35, wherein said part of the single-purpose 
hardware has a tree structure. 

37. (Original) The method of claim 36, wherein said RC4 encryption and/or 
decryption is performed by operating only a sub-part of the single-purpose 
hardware corresponding to the tree root, part of the tree leaves and the tree 
components interconnecting the tree root with said part of the tree leaves. 

38. (Original) The method of claim 37, wherein said sub-part of the single-purpose 
hardware corresponds to the tree root, two of the tree leaves and the tree 
components interconnecting the tree root with said two of the tree leaves. 

39. (Original) The method of claim 34, wherein the step of performing said RC4 
encryption and/or decryption comprises encrypting or decrypting at least part of a 
data frame comprising bytes, and said RC4 encryption and/or decryption is split 
over at least two operating periods of the single-purpose hardware to encrypt or
decrypt one byte of the data frame. 

40. (Previously Presented) The method of claim 31, wherein said data frame 
encapsulation and decapsulation is performed according to the CCMP (Counter- 
mode Cipher block chaining Message authentication code Protocol) protocol. 

41. (Previously Presented) The method of claim 40, wherein the step of performing 
said data frame encapsulation and decapsulation comprises performing CCMP- 
AES (Advanced Encryption Standard) encryption and/or decryption. 

42. (Original) The method of claim 41, wherein the step of performing said CCMP- 
AES encryption and/or decryption comprises encrypting or decrypting at least 
part of a data frame comprising bytes, and said CCMP-AES encryption and/or 
decryption is performed by repeatedly performing a sequence of encryption or 
decryption steps on said part of the data frame. 

43. (Original) The method of claim 42, wherein the step of performing the sequence 
of encryption or decryption steps comprises performing byte substitution using a 
plurality of cryptographic substitution boxes. 

44. (Original) The method of claim 43, wherein the step of performing byte 
substitution on said part of the data frame comprises sequentially performing the 
byte substitution on a plurality of sub-parts of said part of the data frame. 

45. (Original) The method of claim 42, wherein the step of performing the sequence 
of encryption or decryption steps is split over at least two operating periods of the 
single-purpose hardware. 

46. (Previously Presented) A single-purpose hardware device for performing data 
frame encapsulation and decapsulation during encrypted WLAN (Wireless Local 
Area Network) communication, comprising: 

internal hardware components; and 

an interface for communicating with an external hardware component configured
to perform a connection set-up for the encrypted WLAN communication by 
executing software-implemented instructions of driver software without 
exchanging intermediate data with the single-purpose hardware device, wherein 
performing said connection set-up comprises exchanging cryptographic keys 
between a WLAN station and another WLAN station and/or a WLAN access 
point; 

wherein said internal hardware components comprise internal single-purpose 
hardware components configured to perform the data frame encapsulation and 
decapsulation without executing software-implemented instructions of said driver 
software once the connection set-up is completed, wherein performing said data 
frame encapsulation comprises calculating an integrity value appropriate for 
verifying integrity of one of the plurality of data frames once said data frame 
decapsulation is completed; 

wherein performing said encrypted WLAN communication comprises obtaining a 
plurality of data frames intended for said data frame encapsulation from driver 
software; and 

wherein said single-purpose hardware device is further configured to select one of 
the plurality of data frames for said data frame encapsulation by performing a 
prioritization algorithm implemented on the single-purpose hardware. 

47. (Original) The single-purpose hardware device of claim 46, wherein said internal 
hardware components further comprise an internal memory for storing data 
frames intended for or resulting from the data frame encapsulation or 
decapsulation. 

48. (Original) The single-purpose hardware device of claim 47, wherein said internal 
memory comprises an arbitration unit for performing memory access control. 

49. (Previously Presented) The single-purpose hardware device of claim 47, wherein 
said internal memory comprises a hash memory for storing cipher information 
indicating a determining factor for performing the data frame encapsulation and
decapsulation. 

50. (Previously Presented) The single-purpose hardware device of claim 49, wherein 
said determining factor comprises a cipher protocol suitable for performing the 
data frame encapsulation and decapsulation. 

51. (Original) The single-purpose hardware device of claim 49, wherein said 
determining factor comprises a cryptographic key suitable for encrypting or 
decrypting a data frame. 

52. (Previously Presented) The single-purpose hardware device of claim 47, wherein 
said internal hardware components further comprise a radio transceiver 
configured to receive data frames from and transmit data frames to a WLAN 
station and/or WLAN access point. 

53. (Previously Presented) The single-purpose hardware device of claim 52, wherein
said internal single-purpose hardware components comprise a cryptographic 
component for performing the data frame encapsulation and decapsulation and a 
MAC (Medium Access Control) component for communicating with the radio 
transceiver. 

54. (Original) The single-purpose hardware device of claim 53, wherein said 
cryptographic component and said internal memory are arranged to communicate 
with each other. 

55. (Original) The single-purpose hardware device of claim 53, wherein said 
cryptographic component and said MAC component are arranged to communicate 
with each other. 

56. (Original) The single-purpose hardware device of claim 53, wherein said MAC 
component and said internal memory are arranged to communicate with each 
other. 

57. (Original) The single-purpose hardware device of claim 53, wherein said internal
memory is arranged to communicate, over the interface, with the external 
hardware component. 

58. (Cancelled). 

59. (Original) The single-purpose hardware device of claim 46, wherein at least one 
of said internal single-purpose hardware components is capable of inserting a 
packet number and/or sequence number into a data frame. 

60. (Original) The single-purpose hardware device of claim 46, wherein at least one 
of said internal single-purpose hardware components is capable of generating 
cryptographic data suitable for encrypting or decrypting a data frame. 

61. (Original) The single-purpose hardware device of claim 60, wherein said at least 
one of the internal single-purpose hardware components is capable of generating 
cryptographic data comprising authentication data suitable for encrypting a data 
frame in a manner specific to a WLAN station or decrypting a data frame 
encrypted in a manner specific to a WLAN station. 

62. (Previously Presented) The single-purpose hardware device of claim 46, wherein 
said internal single-purpose hardware components are for performing the data 
frame encapsulation and decapsulation according to the TKIP (Temporal Key 
Integrity Protocol) protocol; 

wherein at least part of the internal single-purpose hardware components further 
is for performing RC4 (Rivest's Cipher 4) encryption and/or decryption; and 

wherein said part of the internal single-purpose hardware components is adapted 
to perform the RC4 encryption and/or decryption on at least part of a data frame 
comprising bytes. 

63. (Original) The single-purpose hardware device of claim 62, wherein said part of 
the internal single-purpose hardware components has a tree structure; and 

wherein said part of the internal single-purpose hardware components is further
adapted to perform the RC4 encryption and/or decryption on one byte by 
operating only a sub-part of said part of the internal single-purpose hardware 
components, said sub-part corresponding to the tree root, part of the tree leaves 
and the tree components interconnecting the tree root with said part of the tree 
leaves. 

64. (Original) The single-purpose hardware device of claim 63, wherein said sub-part 
of said part of the internal single-purpose hardware components corresponds to 
the tree root, two of the tree leaves and the tree components interconnecting the 
tree root with said two of the tree leaves. 

65. (Original) The single-purpose hardware device of claim 62, wherein said single- 
purpose hardware device is operated periodically; and 

wherein said part of the internal single-purpose hardware components is adapted 
to perform the RC4 encryption and/or decryption on one byte by splitting the RC4 
encryption and/or decryption over at least two operating periods of said single- 
purpose hardware device. 

66. (Previously Presented) The single-purpose hardware device of claim 46, wherein 
said internal single-purpose hardware components are for performing the data 
frame encapsulation and decapsulation according to the CCMP (Counter-mode 
Cipher block chaining Message authentication code Protocol) protocol; 

wherein at least part of the internal single-purpose hardware components further 
is for performing CCMP-AES (Advanced Encryption Standard) encryption and/or 
decryption on at least part of a data frame comprising bytes by repeatedly 
performing on said part of the data frame a sequence of encryption and/or 
decryption steps comprising byte substitution; and 

wherein said part of the internal single-purpose hardware components comprises a 
plurality of cryptographic substitution boxes for performing the byte substitution. 

67. (Original) The single-purpose hardware device of claim 66, wherein said plurality 
of cryptographic substitution boxes is adapted to perform the byte substitution on 
said part of the data frame by sequentially performing the byte substitution on 
sub-parts of said part of the data frame. 

68. (Original) The single-purpose hardware device of claim 66, wherein said single- 
purpose hardware device is operated periodically; and 

wherein said internal single-purpose hardware components are adapted to perform 
the sequence of encryption and/or decryption steps by splitting said sequence over 
at least two operating periods of the single-purpose hardware device. 

69. (Previously Presented) An integrated circuit chip for performing data frame 
encapsulation and decapsulation during encrypted WLAN (Wireless Local Area 
Network) communication, comprising: 

internal integrated circuits; and 

at least one data bus for communicating with an external CPU (Central Processing 
Unit) configured to perform a connection set-up for the encrypted WLAN 
communication by executing software-implemented instructions, wherein said 
connection setup is performed by driver software without exchanging 
intermediate data with the integrated circuit chip, wherein performing said connection
set-up comprises exchanging cryptographic keys between a WLAN station and 
another WLAN station and/or a WLAN access point; 

wherein said internal integrated circuits comprise internal single-purpose 
integrated circuits configured to perform the data frame encapsulation and 
decapsulation without executing software-implemented instructions of said driver 
software once the connection set-up is completed, wherein performing said data 
frame encapsulation comprises calculating an integrity value appropriate for 
verifying integrity of one of the plurality of data frames once said data frame 
decapsulation is completed; 

wherein performing said encrypted WLAN communication comprises obtaining a
plurality of data frames intended for said data frame encapsulation from driver 
software, and further comprises selecting one of the plurality of data frames for 
said data frame encapsulation by performing a prioritization algorithm 
implemented on the single-purpose integrated circuit. 

70. (Cancelled). 

71. (Previously Presented) A computer system for performing encrypted WLAN 
(Wireless Local Area Network) communication, comprising: 

first means for performing a connection set-up for said encrypted WLAN 
communication, wherein performing said connection set-up comprises 
exchanging cryptographic keys between a WLAN station and another WLAN 
station and/or a WLAN access point; and 

second means for performing data frame encapsulation and decapsulation during 
said encrypted WLAN communication, wherein said data frame encapsulation 
performed by said second means includes calculating an integrity value 
appropriate for verifying integrity of one of the plurality of data frames once said 
data frame decapsulation is completed; 

wherein said first means is for performing the connection set-up by executing 
software-implemented instructions of driver software without exchanging data 
with said second means; and 

wherein said second means comprises a single-purpose hardware device, and 
wherein said second means is configured to perform without executing software- 
implemented instructions of said driver software; 

wherein performing said encrypted WLAN communication comprises obtaining a 
plurality of data frames intended for said data frame encapsulation from driver 
software, and selecting one of the plurality of data frames for said data frame 
encapsulation by performing a prioritization algorithm implemented in said
second means.

72. (Previously Presented) The method as recited in claim 1, wherein the single- 
purpose hardware is a circuit dedicated for performing encapsulation and 
decapsulation without execution of any software instructions. 

73. (Previously Presented) The method as recited in claim 72, wherein the single- 
purpose hardware is coupled to receive plaintext data from the driver software, 
and wherein the single-purpose hardware is further coupled to provide 
decapsulated data to the driver software. 

74. (Previously Presented) The single-purpose hardware device as recited in claim 53, 
wherein the single-purpose hardware device further includes a first multiplexer 
configured to select a communication path to the MAC component from either the 
internal memory or the cryptographic component, and further includes a second 
multiplexer configured to select a communication path to the internal memory 
from either the MAC component or the cryptographic component. 